Triage Thursday

Windows 11, TheHive Integration, and Family Updates


Welcome back to our Triage Thursday blog series, where we go over any and all updates for our Triage sandbox from the last week.

We’ve got a bit of a mix of things for you today, with a couple of exciting announcements to go along with our usual news about configuration extractors and detection updates:

Read on below for all the juicy details!

In other news we are still looking for a Go developer to join the Hatching team. If you’d like to be involved in the next steps of Triage’s journey - or know someone who might be - you can find the full job listing here. Feel free to reach out with any questions.

If you have any feedback on Triage or particular samples please do get in touch! You can reach us directly through the website, on Twitter, or using the Feedback option on an analysis report page.

Not signed up yet? Head over to to register for a free account.

Windows 11 Support

As most of you are likely aware, back in June Microsoft announced Windows 11 as the next entry in the Windows lineup. Although it is not expected to go to full release until the end of the year, we have been hard at work with the Insider builds getting initial support in place to ensure we can hit the ground running when release arrives.

We’re pleased to say that we’ve been able to make good progress with this, and as such today have released the first version of our Windows 11 support for you to play around with!

Our default platform for Windows analyses will continue to be Windows 10 for the foreseeable future, but you can now select Windows 11 from the submission options or using Profiles. Naturally as this is not the final commercial version the precise details/appearance may change before the OS releases later in the year, but we will continue to keep an eye on updates and will be ready with support for whenever it becomes publicly available.

In the meantime feel free to experiment with it and see what you think!

TheHive Cortex Integration

Also this week we have added a new integration to our list of supported products - you can now ingest data directly into TheHive from Triage!

If you haven’t come across it before, TheHive is an open source security incident response platform designed to help with swiftly investigating and acting on security incidents. It works closely with MISP to make recording and tracking IoCs as simple as possible. The project also includes Cortex, an active response engine which has prebuilt automated analysis pipelines for many different types of incident or indicator.

The new integration plugs Triage directly into the Cortex engine, enabling users to execute files in the sandbox, fetch the results, and begin initial analysis of them without ever leaving TheHive’s interface.

You can find the Triage plugin built in to the latest release of TheHive’s Cortex engine, and the source code is available on Github here.

Massive thanks are due to Mikael Keri for building out this integration for us.

Check out details of our existing integrations with Splunk Phantom and PaloAlto’s Cortex XSOAR on our blog.

New Chinese Botnet

We recently observed some botnet samples which we were unable to find existing identification for online. The family appears to be targeting users in China specifically, with a range of functionality covering aspects of a backdoor, stealer and remote access trojan.

On deeper inspection it would appear that the family is likely related to or based on the old Nitol family, another China-based malware family which has been around since at least 2012. However it is clearly more than just a simple clone/fork of the original, as we were able to identify a number of key differences and improvements in this new family:

We have so far not come across any public family names for these new samples, so we have added detection as simply “Generic Chinese Botnet” while we wait for the community to give it a proper name.

Thanks to Twitter user @benkow_ for reporting the sample to us initially.


Indicators of Compromise:

Indicator Description
53b9a0465f0f42c412ba90058ed129e7e6c4c97f724f537a7e03c9931c8bbc60 Sample SHA256
"C:\Program Files (x86)\Microsoft Egkgcm\Wakkeos.exe" Win7 Command-line used to launch the final payload (in Windows 7) iwmiqsio Mutex created by Wakkeos.exe

CyberGate RAT

CyberGate is an old malware family with CitizenLab reporting that it goes all the way back to 2008.

The RAT is written in Delphi and shares a fair bit of its code with Xtreme RAT, another family from around the same time period (having been first observed for sale on forums in 2010). It boasts a fairly extensive list of features, but nothing out of the ordinary for this class of malware. Besides providing full manual remote access it can automatically steal browser credentials, download and execute additional files, capture the screen, and run a keylogger.

We added support for the family back in December last year, but have revisited it this week to implement a full configuration extractor which is able to dump a large number of settings fields including file and registry paths, keylogger settings and FTP credentials (where relevant).


Indicators of Compromise:

Indicator Description
2edc1d26a755fce3c36d97ee664473a24c09f653c38792118db34196cd638d06 Sample SHA256 Hash
9e0c6888bb6e17c927b7b52656b067562b7ef4607ca3963c8e13637235432c45 Sample SHA256 Hash
88ab0fb7aab828733d7fad8dd72ba73c7188803ed85c19d01a267ad7809cba44 Sample SHA256 Hash
7ef8a647eee5935219cea3f21cdc5a1fe28a53b177c6d3280e5ee8f2304b3e5c Sample SHA256 Hash
asade[.]no-ip[.]org C2 Domain
JOSE4[.]NO-IP[.]ORG C2 Domain
pinguela[.]dnsd[.]me C2 Domain
palotes12[.]chickenkiller[.]com C2 Domain
matreto[.]system-ns[.]co C2 Domain
narutao[.]duckdns[.]org C2 Domain

AvosLocker Ransomware

AvosLocker is a new ransomware which began operations around the end of June/start of July 2021. It was first reported on Twitter by @RakeshKrish12:

As with many modern ransomware families, the creators of AvosLocker have been actively recruiting affiliates through various forums rather than carrying out initial breaches themselves. Evidence suggests that they have already had multiple successes infecting companies.

As reported by MalwareBytes, the family does not attempt to be particularly stealthy during its infection as it is normally run manually by an operator with direct remote access to the compromised system. All encrypted files are renamed with a .avos file extension, and in each affected directory the malware creates a file called GET_YOUR_FILES_BACK.txt with the ransom instructions.

Check out the MalwareBytes blogpost for a very detailed breakdown of the family.


Indicators of Compromise:

Indicator Description
GET_YOUR_FILES_BACK.txt Ransomnote file name
.avos Encrypted file extension
ievah8eVki3Ho4oo Mutex created (by both samples)
hxxp://avos2fuj6olp6x36[.]onion Ransom payment URL
hxxp://avos53nnmi4u6amh[.]onion/ Ransom payment URL

MedusaLocker Ransomware

MedusaLocker was first seen in the wild during the 2nd half of September 2019 and quickly began to successfully infect victims. It is particularly potent due to a combination of robust methods to spread through a network and its persistence mechanisms.

SentinelOne reports that the family actively seeks to connect to networked resources, modifying the EnableLinkedConnections registry key as needed to ensure that mapped network drives are available for encryption. It also restarts the LanmanWorkstation service which handles network connections via SMB, ensuring maximum exposure for infection and lateral movement.

Over time the family has used a wide range of encrypted file extensions and ransom note file names/types. We have included below those we encountered during our investigation, but this list should not be considered complete for all versions and variants.


Indicators of Compromise:

Indicator Description
0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad Sample SHA256 hash
461f8a55ea2eecfcc26562326af4b56fbaf8e4957a4a6e0b75bec8ee90ace078 Sample SHA256 hash
d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532 Sample SHA256 hash
c5bef2a489740192a0b2c34cdc2fd954d0b8d5fabcbe0ecb8b78f9301e5a30a6 Sample SHA256 hash
a25c0227728878c386ab6dba139976cb10e853dd3cd1eb3623f236ee8e1df212 Sample SHA256 hash
!!!HOW_TO_DECRYPT!!!.mht Ransomnote file name
HOW_TO_RECOVER_DATA.html Ransomnote file name
Recovery_Instructions.html Ransomnote file name
Recovery_Instructions.mht Ransomnote file name
C:\Users\Admin\Desktop\README_LOCK.TXT Ransomnote file name
C:\Users\Admin\AppData\Roaming\KEY.FILE Dropped file
.gpay, .L54, .L16, .L47, .keversen, .Readinstruction, .grlock, .1btc Observed encrypted file extensions
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = “1” Registry write

eCh0raix Ransomware

The eCh0raix family has been around since July 2019, gaining its name from a string observed within the early samples. It is a Linux-based ransomware specifically designed to target network-attached storage (NAS) devices, originally focussing on just those made by QNAP Systems Inc. and later expanding to also affect Synology products using a very similar method of infection.

The ransomware exploits vulnerabilities in the NAS devices to gain initial access. For example, PaloAlto recently reported that new variants were observed leveraging a CVE for QNAP devices (CVE-2021-28799) which had been covered in a security advisory from the manufacturers back in April this year.

The new version observed by PaloAlto also marks the first time that the family has targeted both QNAP and Synology devices with the same campaign, with previous iterations only being able to target one or the other at a time.

For a detailed writeup of the family check out PaloAlto’s writeup of the new variants from August this year or Anomali’s initial blogpost on the first versions seen in the wild.


Added Family Detection for VanillaRAT

VanillaRAT is yet another “for educational purposes only” piece of open-source malware which you can download freely from Github. The main project was ended in 2019 but as it’s open source anyone can feasibly create new variants without much effort.

The family is a fully featured RAT with the ability to gather signification information about an infected machine. According to the readme it includes features like:

We recently noticed a sample of the family being submitted to Triage, so we have taken a look at them and implemented relevant family detections to classify them correctly.


Indicators of Compromise:

Indicator Description
92d129825bda8b18723026a90fcc19bed5614c7ba17b1a50e1ed91518fc93752 Sample SHA256 hash

You may also like: